Digital Markets and Hidden Noncompliance
Published in Journal of Legal Studies, Volume 55, Issue 2 (June 2026)
Abstract
Regulatory oversight in digital markets is difficult because firms’ behavior is often opaque and large-scale monitoring is costly. This article examines hidden noncompliance in European privacy law by comparing what firms disclose in their privacy policies with what their apps actually do.
Using the European Court of Justice’s 2020 invalidation of the EU-US Privacy Shield as a natural experiment, the study analyzes more than 2,500 apps from the Spanish Google Play Store between 2020 and 2022. It combines automated privacy policy analysis with technical observation of cross-border data flows, allowing the authors to compare firms’ stated compliance with their observed behavior.
The results show a substantial gap between disclosure-based and behavior-based compliance assessments. While privacy-policy analysis suggested that 17.8% of apps were noncompliant shortly after the Schrems II decision, observed data flows indicated noncompliance in 63.4% of apps. Two years later, the corresponding figures were 8.2% and 28.8%. These findings suggest that traditional empirical legal methods based solely on firm disclosures may miss over 70% of observed privacy violations.
Key Contributions
- Combines empirical legal analysis with IT security methods to study hidden privacy-law noncompliance.
- Uses Schrems II as a natural experiment to analyze changes in EU-US cross-border data transfers.
- Compares privacy policy disclosures with observed data flows for more than 2,500 Android apps.
- Shows that policy-based legal analysis can substantially underestimate actual noncompliance.
- Highlights the need for regulatory methods that account for limited observability and information asymmetry in digital markets.
Recommended citation: A. Zac, S. Bechtold, P. Wey, D. Rodríguez, J.M. Del Alamo. "Digital Markets and Hidden Noncompliance." Journal of Legal Studies, 55(2), 2026.
